ABSTRACT


A method for evaluating the reliability of real-time systems containing embedded rule- 
based expert systems is proposed and investigated. It is a three stage technique that 
addresses the impact of knowledge base uncertainties on the performance of expert 
systems. In the first stage, a Markov reliability model of the system is developed which
identifies the key performance parameters of the expert system. In the second stage, the 
evaluation method is used to determine the values of the expert system's key performance 
parameters. The performance parameters can be evaluated directly by using a probabilistic 
model of uncertainties in the knowledge base or by using sensitivity analyses. In the third 
and final stage, the performance parameters of the expert system are combined with 
performance parameters for other system components and subsystems to evaluate the 
reliability and performance of the complete system. The evaluation method is demonstrated 
in the context of a simple expert system used to supervise the performance of an FDI 
algorithm associated with an aircraft longitudinal flight-control system. 


KEYWORDS: Expert Systems; System Evaluation; Markov Models;
Uncertain Knowledge Base Systems; Sensitivity Analyses

1 INTRODUCTION


1.1 Background 

Recent applications of expert systems technology to a large class of engineering 
problems ([1] - [9]) suggest that expert systems may be useful for solving complex 
aerospace planning and control problems. Indeed, major efforts are underway to develop 
expert systems for a wide variety of aerospace applications including DARPA’s Pilot's 
Associate program [10], NASA's space station energy management system [11], and 
NASA's Systems Autonomy Technology program (SADP) [12].

Some of the aerospace applications for which expert systems are currently being 
considered are closely associated with real-time life-critical operations. Thus, it is 
reasonable to expect that eventually such expert systems will play real-time, life-critical 
roles in these applications. As with other systems that perform life critical tasks, these 
expert systems will have to be thoroughly evaluated before they can be flight tested. This 
evaluation process is necessary to ensure that reliability and performance requirements are
satisfied. However, a satisfactory and generally accepted methodology for evaluating the 
reliability and performance of expert systems does not currently exist. 

Historically, because expert systems have not addressed life critical and/or real-time 
problems, there has not been a compelling need to address the evaluation problem. To 
date, most investigations of the evaluation problem have been either incomplete [13], 
strictly qualitative [14], [15], or problem specific [16], [17], [18] and [19]. Recently, 
NASA convened a workshop to address issues associated with verification and validation 
of knowledge based systems [20]. The lack of a general, complete and quantitative 
evaluation methodology is a major impediment to exploiting the potential of expert systems 
in aircraft and spacecraft systems. This report describes a method for performing 
sensitivity analyses on the input/output performance of an expert system in the presence of 
inexact input values and imperfect rules. This method represents a first step towards the 
development of a more general evaluation methodology. 

1.2 Problem Definition.

Two types of evaluation capabilities are required to support the development of real- 
time, rule-based expert systems. First, an ability to evaluate the performance of the expert 
system itself, operating in a stand alone mode is required. The methodology to perform 
this evaluation must identify the key performance parameters of the expert system, as well 
as specify how these parameters are computed. Second, because, in general, real-time 
expert systems will be imbedded within larger systems, an ability to evaluate the effect of 
the expert system’s performance on the overall system is required. The methodology that 
is developed for this purpose must integrate the expert system's performance parameters 
into existing methods for evaluating system performance and reliability. 

1.3 Scope. 

The term expert system is often applied loosely to a large class of problem solving 
software tools. An attempt to develop a new and general evaluation methodology for such 
a large class of systems is an ambitious goal. In order to reduce the scope of the problem, 
we have restricted the evaluation methodology to forward-chaining rule-based expert
systems. Rule-based expert systems are an important class of knowledge based systems 
that are used to address real problems. Therefore, an evaluation methodology that 
specifically focuses on such systems is not of limited interest. 

The development of an expert system is a three stage process, any one of which can 
have an effect on the performance and reliability of the larger system into which the expert 
system is integrated. These stages are system development, software implementation and 
hardware integration. System development refers to the development of the knowledge 
representation for the assertions and rules used in the expert system and the design of the 
inference engine which operates on those rules and assertions. Software implementation is 
the process of coding the system defined in Stage 1. Hardware integration is the process of
porting the coded system onto a specific machine. 

This study addresses the evaluation of the product of the system development stage in 
terms of its reliability and performance. In particular, we focus on how errors in the 
assertions and the rules affect the performance and reliability of the expert system. In order 
to make the results of the evaluation useful for comparing alternative expert system designs 
and for evaluating the impact of the performance of the expert system on the overall 
integrated system, the effect of assertion and rule errors must be described by quantitative 
means. 

This study does not address the software implementation or hardware integration 
stages. In this sense, our investigation is analogous to the evaluation of the performance of 
control or Fault Detection and Isolation (FDI) algorithms, where the objective is to 
investigate stability or decision performance before considering specific problems relating 
to software and hardware implementation. 

1.4 Approach. 

The expert system performance discussed in this paper is the ability of the system to 
perform its primary function. The words performance and reliability will be used 
interchangeably to refer to this ability. The approach for evaluating expert system 
performance consists of two stages. In the first stage, an overall system reliability model is 
developed that incorporates the expert system as a subsystem. In the approach described in 
this study, we use Markov models to characterize the reliability of the complete system. It 
will be assumed that the ability of the system to perform its primary function (what we shall 
refer to as performance), can be characterized in terms of the reliability information that is 
provided by the Markov model. We believe that Markov models represent the easiest and 
most powerful method for modeling the performance and reliability of complicated 
systems. However, the techniques described in this report could support other types of 
system modeling. 

Markov models are used to model the effects of the expert system, as well as other 
subsystems, on the performance of the complete system. This allows the key performance 
parameters of all of the subsystems (including the expert system) to be identified. These 
performance parameters must be supplied for the Markov model evaluator to evaluate 
system performance. Methods for computing these performance parameters exist for many 
types of subsystems (e.g., control systems, navigation systems, power systems, etc.). 
They do not currently exist for expert systems. 

In the second stage of the evaluation, the parameters describing the performance of
the expert system are computed using the evaluation methodology proposed in this report. 
The methodology provides a means of evaluating the propagation of the uncertainty in the 
expert system's knowledge base to the degree of uncertainty of the outputs produced by the 
system. The ability to compute the uncertainty in the knowledge base makes it possible to 
quantify the accuracy of the decisions being made by the expert system. For realistic 
problems where the knowledge base is large and where knowledge of the a priori input 
assertion errors and rule errors is limited, sensitivity analyses can provide greater insight 
into the impact of error propagation through the expert system's knowledge base. In this
way the system designer will know which rules and input assertions are most critical to the
decision-making performance of the expert system, and thus where effort should be made
to reduce potential errors.

1.5 Overview. 

The remainder of this report is divided into 4 sections. In Section 2, we describe the 
design of the rudimentary expert system that was used in this study. In Section 3, a 
Markov model of the aircraft redundancy management system is developed that 
incorporates the expert system. This model is then used to demonstrate the effect of the 
expert system on the reliability of the system and to identify the important performance 
parameters of the expert system. In Section 4, we present the evaluation methodology and 
discuss the use of the methodology to perform sensitivity analyses. Section 5 contains an
example of the evaluation methodology being applied to the aircraft redundancy 
management system described in Section 2. Section 6 contains our conclusions and 
recommendations for further research. 

2 THE EXPERT SYSTEM

2.1 Motivation 

In order to exercise and demonstrate the evaluation methodology it was necessary to 
develop a test case expert system. The test case system had to satisfy several important 
criteria to be useful for this effort. First, the expert system had to be simple. It was 
important to keep the scope of the evaluation methodology to a modest effort because no 
previous work had been done in this area. Concentrating on simple problems was felt to be 
more productive than becoming too ambitious. Second, the expert system had to be 
oriented toward real-time applications because it is in this situation where rigorous 
evaluation is critical. For these two reasons it was decided to develop our own expert 
system to support the development of the evaluation methodology. Developing our own 
expert system had the advantage of allowing us to limit the scope of the problem to keep it 
simple. 

2.2 The Application

The application selected for the demonstration expert system is the task of monitoring 
the decision making process of an FDI algorithm onboard an aircraft with redundant 
control-surfaces. Such an aircraft can tolerate certain combinations of control surface 
failures and remain flying. The objective of this expert system is to reduce the false alarm 
rate of the FDI algorithm. False alarms in FDI algorithms can cause unfailed resources to 
be taken off-line, which may degrade the performance of the system and ultimately reduce
system reliability. Therefore, reducing the adverse effects of false alarms can
increase the reliability of the aircraft.

FDI algorithms produce false alarms for three major reasons. First, it is necessary 
for FDI algorithms to be conservative because undetected failures (often referred to as 
uncovered failures) can often lead to system loss. Second, it is necessary for FDI 
algorithms to make fast decisions using minimum amounts of data because of the extremely 
short time constraints of most aircraft control systems. This increases the likelihood that 
noisy sensor measurements will cause false alarms. Third, it is often difficult for FDI 
algorithms to isolate failures to the faulty component once they are detected. For example, 
it is difficult to distinguish between flap and aileron failures. 

The expert system used in this study is intended to operate in parallel with an FDI 
algorithm. The expert system will identify false alarms and will allow unfailed resources to
be returned to active use. This expert system will be referred to as the FDI Monitor expert 
system. The purpose of this expert system is to monitor the performance of the traditional 
FDI system in an attempt to discover false alarms. In effect, the FDI Monitor expert 
system's job is to scrutinize the decisions of the FDI system and make sure that the FDI 
does not remove unfailed resources from the configuration. This application was selected 
because it is a real-time application for an expert system and because the rules could be 
developed in the short time frame of the study. The expert system can do a better job of 
assessing the failure status of the resources than the FDI because of two advantages. First, 
the expert system will have seconds instead of milliseconds (as does the FDI) to make its 
decisions. This will allow the expert system to base its decisions on many measurements, 
reducing the effects of measurement errors on its decisions. Second, the expert system will
be given the authority to command small maneuvers to help correctly isolate failures. It is
assumed that the expert system will not command maneuvers that can crash the aircraft. 

The complete redundancy management system for the aircraft flight control system 
consists of the FDI algorithm, the Reconfiguration algorithm and the Expert System as 
shown in Figure 1. Both the FDI system and the Expert System make decisions about the 
status (component failures) of the aircraft. The FDI system makes its decisions at a high 
frequency using limited data, while the Expert System makes its decisions at a low 
frequency using large amounts of data. The Reconfiguration algorithm takes the current 
indication of the system's status (which can be updated by either the FDI system or the 
Expert System) and reconfigures the system to (1) remove newly declared failed 
components from active use and to (2) restore newly declared functional components to 
active use. The FDI system is responsible for declaring components to be failed, while the 
Expert System is responsible for declaring components to be functional. In this 
implementation, the Expert System is only concerned with examining the failure status of 
components that have previously been identified as failed by the FDI. Therefore, the 
Expert System will only be concerned with a small number of the total components in the 
system and in the case where no failures have been declared by the FDI, the Expert System 
will be idle. 



Figure 1. Architecture of the Expert System Redundancy Management 

The scope of the redundancy management problem has been limited to the 
longitudinal flight control surfaces of a fighter aircraft. We assume the aircraft to have 2 
elevators and 2 canards and that the aircraft is controllable using any three of the four 
surfaces. We also assume that an undetected failure of any surface leads to the loss of the 
aircraft. These assumptions were made to limit the complexity of the problem and do not 
affect any of the results that are presented in this report. The primary motivation for the 
simplifications was to keep the scope of the problem within the resources and intent of the
study. 

2.3 The FDI Monitor Expert System.

The FDI Monitor Expert System operates whenever the FDI algorithm indicates that a 
failure of a control surface has occurred. This expert system was built to support the 
development of the evaluation methodology and is not meant to represent an actual design 
for a real aircraft. The Expert System operates in two stages. First, filtered measurements 
and predictions about aircraft pitch rate and control surface deflections are generated. Then 
the Expert System uses this information in combination with its knowledge base to make 
decisions about the status of the control surface in question. For the remainder of this 
discussion the index (i) will refer to a control surface where i = 1 => port canard, i = 2 
=> starboard canard, i = 3 => starboard elevator and i = 4 => port elevator. 

To clarify what is occurring internal to the expert system, we define four attributes
associated with each control surface (i), $A_{ij}$; j = 1, 2, 3, 4:

$A_{i1}$ = The angular deflection of control surface (i) is large.

$A_{i2}$ = The pitch rate response to a dither on control surface (i) is too small.

$A_{i3}$ = The difference between the measured and predicted angular deflection
of control surface (i) is small.

$A_{i4}$ = The difference between the measured and predicted pitch rate response
to a dither on control surface (i) is large.

The filtered measurements and predictions that are used by the expert system in 
making decisions are referred to here as evidence. For each control surface i there are four 
pieces of evidence that are used by the Expert System, $E_{i,k}$; k = 1, 2, 3, 4:

$E_{i,1} = \mathrm{abs}[\,\delta(i)_{\mathrm{measured}}\,]$

= The absolute value of the measured angular deflection of control
surface (i)

$E_{i,2} = \mathrm{abs}[\,\dot{\theta}_{\mathrm{measured}}\,]$

= The absolute value of the measured pitch rate of the aircraft resulting
from a dither command applied to control surface (i)

$E_{i,3} = \mathrm{abs}[\,\delta(i)_{\mathrm{measured}} - \delta(i)_{\mathrm{predicted}}\,]$

= The absolute value of the difference between the measured angular
deflection of control surface (i) and the predicted angular deflection of
control surface (i)

$E_{i,4} = \mathrm{abs}[\,\dot{\theta}_{\mathrm{measured}} - \dot{\theta}_{\mathrm{predicted}}\,]$

= The absolute value of the difference between the measured and
predicted pitch rate of the aircraft resulting from a dither command
applied to control surface (i)

For our purpose, it is not important how the evidence is generated. We assume that 
the evidence can be produced and that, in general, there will be errors in the evidence as the 
result of measurement and modelling errors. 

After the evidence is generated, the expert system uses the evidence in reasoning 
about the state of the aircraft. In particular, the inferences drawn by the expert system 
depend on whether or not each of the four pieces of evidence falls within specified 
intervals. Before presenting the rules, threshold parameters that delimit those intervals for
making these decisions are defined. These parameters represent some of the "expert"
knowledge that is contained in the expert system’s knowledge base. We emphasize that
there is nothing sacred about the values assigned to these parameters. They are merely
meant to be a representative set of values that might be used for this application. In the
following we use $T_{k,\mathrm{low}}$ and $T_{k,\mathrm{high}}$ to represent the thresholds for the $k$th evidence type.

$T_{1,\mathrm{low}}$ = 4.5 deg        $T_{1,\mathrm{high}}$ = 5.5 deg
$T_{2,\mathrm{low}}$ = 0.8 deg/sec    $T_{2,\mathrm{high}}$ = 1.2 deg/sec
$T_{3,\mathrm{low}}$ = 0.4 deg        $T_{3,\mathrm{high}}$ = 0.6 deg
$T_{4,\mathrm{low}}$ = 0.7 deg/sec    $T_{4,\mathrm{high}}$ = 1.3 deg/sec

These threshold values imply three evidence intervals: evidence that falls below the 
lower threshold (low interval), evidence that falls between the two thresholds (mid interval) 
and evidence that falls above the higher thresholds (high interval). 


The expert system assigns probabilities to each of the possible states of the surface 
that has been declared to be failed by the FDI system (below that surface is represented by 
the index i). These assignments are based on which intervals the various pieces of 
evidence have fallen into. Here too, these probabilities are assumed to be representative of 
"expert" knowledge and should be approximately the correct values. 

The following 16 rules make up the FDI monitor expert system: 


Rules for assigning a probability to internal surface state 1:

(1) IF $E_1 < T_{1,\mathrm{low}}$ THEN Pr(State of surface i = $S_{i1}$) = 0.9

(2) IF $T_{1,\mathrm{low}} < E_1 < T_{1,\mathrm{high}}$ THEN Pr(State of surface i = $S_{i1}$) = 0.2

(3) IF $E_1 > T_{1,\mathrm{high}}$ THEN Pr(State of surface i = $S_{i1}$) = 0.014

Rules for assigning a probability to internal surface state 2:

(4) IF $E_2 < T_{2,\mathrm{low}}$ THEN Pr(State of surface i = $S_{i2}$) = 0.9

(5) IF $T_{2,\mathrm{low}} < E_2 < T_{2,\mathrm{high}}$ THEN Pr(State of surface i = $S_{i2}$) = 0.3

(6) IF $E_2 > T_{2,\mathrm{high}}$ THEN Pr(State of surface i = $S_{i2}$) = 0.012

Rules for assigning a probability to internal surface state 3:

(7) IF $E_3 < T_{3,\mathrm{low}}$ THEN Pr(State of surface i = $S_{i3}$) = 0.8

(8) IF $T_{3,\mathrm{low}} < E_3 < T_{3,\mathrm{high}}$ THEN Pr(State of surface i = $S_{i3}$) = 0.3

(9) IF $E_3 > T_{3,\mathrm{high}}$ THEN Pr(State of surface i = $S_{i3}$) = 0.1

Rules for assigning a probability to internal surface state 4:

(10) IF $E_4 < T_{4,\mathrm{low}}$ THEN Pr(State of surface i = $S_{i4}$) = 0.02

(11) IF $T_{4,\mathrm{low}} < E_4 < T_{4,\mathrm{high}}$ THEN Pr(State of surface i = $S_{i4}$) = 0.2

(12) IF $E_4 > T_{4,\mathrm{high}}$ THEN Pr(State of surface i = $S_{i4}$) = 0.85

(13) IF True THEN Pr(Surface i is stuck) = Pr($S_1$) x Pr($S_2$)

(14) IF True THEN Pr(Surface i is partially lost) = [1 - Pr($S_3$)] x Pr($S_4$)

Decision Rules:

(15) IF Pr(Stuck) + Pr(Lost) < Thr THEN DECISION = Veto FDI

(16) IF Pr(Stuck) + Pr(Lost) > Thr THEN DECISION = Support FDI

Pr(Surface i is stuck) and Pr(Surface i is partially lost) are internal knowledge states 
which indicate the probability of the control surface being stuck or having lost some of its 
nominal effectiveness. These probabilities are compared to a threshold (Thr) in making the 
decision to override the FDI decision to declare the surface failed. The output of the expert
system is the value of DECISION, which either vetoes or supports the failure indicated by
the FDI algorithm. It is the quality of this decision which will ultimately characterize the 
performance of this expert system. 
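
The rule base above can be exercised directly. The following Python sketch is an added example, not code from the report: it evaluates rules (1)-(16) for one surface and checks whether a small error in one piece of evidence changes the decision. The value of Thr (0.5), the treatment of evidence or sums that exactly equal a threshold, and all function names are assumptions, since the report does not specify them.

```python
"""FDI Monitor rule base, rules (1)-(16), evaluated for one control surface.

Added illustration. THR and the tie handling are assumptions, not values
taken from the report.
"""

# (T_low, T_high) for evidence types k = 1..4, as listed in the text.
THRESHOLDS = {
    1: (4.5, 5.5),   # deg
    2: (0.8, 1.2),   # deg/sec
    3: (0.4, 0.6),   # deg
    4: (0.7, 1.3),   # deg/sec
}

# Rules (1)-(12): probability assigned to internal surface state k when
# evidence k falls in the low, mid or high interval.
STATE_PROB = {
    1: {"low": 0.9, "mid": 0.2, "high": 0.014},
    2: {"low": 0.9, "mid": 0.3, "high": 0.012},
    3: {"low": 0.8, "mid": 0.3, "high": 0.1},
    4: {"low": 0.02, "mid": 0.2, "high": 0.85},
}

THR = 0.5  # hypothetical decision threshold; the report gives no value


def interval(k, value):
    """Classify evidence k into the low, mid or high interval."""
    if value < 0.0:
        raise ValueError("evidence is an absolute value and cannot be negative")
    low, high = THRESHOLDS[k]
    if value < low:
        return "low"
    if value > high:
        return "high"
    # The rules use strict inequalities, so equality is undefined in the
    # report. Assumption: a value on a threshold is treated as mid.
    return "mid"


def evaluate(evidence, thr=THR):
    """Apply the 16 rules to evidence (E1, E2, E3, E4) for one surface."""
    if len(evidence) != 4:
        raise ValueError("exactly four pieces of evidence are required")
    s = {k: STATE_PROB[k][interval(k, e)]
         for k, e in enumerate(evidence, start=1)}
    stuck = s[1] * s[2]                 # rule (13)
    lost = (1.0 - s[3]) * s[4]          # rule (14)
    total = stuck + lost
    # Rules (15) and (16). Assumption: a sum equal to thr supports the FDI,
    # which leaves the surface out of use.
    decision = "Veto FDI" if total < thr else "Support FDI"
    return {"states": s, "stuck": stuck, "lost": lost,
            "total": total, "decision": decision}


def flips_under_error(evidence, k, err, thr=THR):
    """True if shifting evidence k by +err or -err changes the decision."""
    base = evaluate(evidence, thr)["decision"]
    for delta in (-err, err):
        shifted = list(evidence)
        shifted[k - 1] = max(0.0, shifted[k - 1] + delta)
        if evaluate(shifted, thr)["decision"] != base:
            return True
    return False


if __name__ == "__main__":
    # Constructed evidence values, chosen to sit near the T_1 low threshold.
    nominal = (4.4, 0.5, 0.3, 0.5)
    print(evaluate(nominal))
    print("decision sensitive to 0.2 deg error in E1:",
          flips_under_error(nominal, k=1, err=0.2))
```
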

3 MARKOV MODELS OF SYSTEMS WITH EXPERT SYSTEMS


3.1 Background. 

It is imperative that complex systems performing life-critical missions be desensitized 
to imperfections and/or failures in their components and subsystems. This requirement has 
led to the development of fault tolerant systems that are designed to tolerate failures and 
remain operating safely. The design of a fault tolerant system requires the use of analytical 
techniques to verify the reliability of the system design. These techniques enable a designer 
to compute the reliability and expected performance of a system using reliability 
information about the system’s components and subsystems. One of the most powerful 
techniques available for performing these types of analyses is the Markov model [21]. 

Markov reliability models are developed by representing the system's status by a 
finite number of states, each of which represents an operational mode of the system. That 
is, each operational state corresponds to a combination of failed and functioning 
components of the system. At any instant during its operation, the system is operating in
one of these states. Initially, a system will begin operation in a state corresponding to no 
failed components or subsystems. As the system continues to operate, it may experience 
failures and thus, transition to other states representing operational modes with failed 
components and/or subsystems. The rate at which these transitions occur is a function of 
the reliability and performance of the components and subsystems making up the complete 
system. A Markov model defines the operational states of a system and the transition rates 
between these states, and thus enables a designer to evaluate the reliability and performance 
of the overall system. 

3.2 Markov Model of the Aircraft Longitudinal Flight Control RMS.

Markov models have been used to evaluate the reliability of a large variety of life- 
critical and fault tolerant systems consisting of many types of components and subsystems. 
In this section we demonstrate how a Markov model is used to model the aircraft 
longitudinal flight-control redundancy management system (RMS) described in Section 
2.2. Note that the simplicity of the Markov model here reflects the limited scope of the 
problem that was required to demonstrate the evaluation methodology developed here. In 
general a Markov model would consist of many more states than the 3 and 5 state models 
shown here. The Markov model of the RMS without the expert system is shown in Figure 
2. In that figure XF refers to failure level X (i.e., X is the number of failed components), 
FA denotes false alarm, DET is shorthand for detected and identified failure and SL 
represents a system loss state. 

To keep this example simple, we have assumed that the aircraft has 4 control surfaces 
of which at least three must be functional for the system to be functional. State 1 of the 
Markov model corresponds to the condition that all surfaces are functioning properly. The 
system can transition out of state 1 when (1) the FDI detects a failure or the FDI gives a 
false alarm or (2) when a failure goes undetected by the FDI. In the first situation, the 
RMS removes the appropriate surface from use and the aircraft continues to fly, (although 
at a reduced level of performance). In the second situation (an undetected failure), we 
conservatively assume a system loss. 

STATE  DESCRIPTION
1      No Surface Failures
2      1 Surface removed from usage by the RMS
SL     System Loss

FIGURE 2. MARKOV MODEL OF THE RMS WITHOUT THE EXPERT SYSTEM

From this model it can be seen that the probability of a missed detection contributes 
directly to the unreliability of the system. To reduce the effects of this failure mode, an FDI 
algorithm will typically have lower detection thresholds such that the probability of missed 
detection is very small. Reducing the missed detection rate will, unfortunately, increase the 
false alarm rate. This means that part of the time, the aircraft will be operating in state 2 
(one surface not being used) even though the surface has not failed. As a result, the aircraft 
is (unnecessarily) sacrificing performance for the sake of reliability. The purpose of the 
expert system is to reduce the false alarm rate of the RMS. 

The state transition matrix for this model can be specified in terms of the performance
parameters of the aircraft flight control surfaces and the FDI algorithm. Let $\lambda$ be the failure
rate of the flight control surfaces, let $\mu$ be the false alarm rate of the FDI and let $\beta$ be the
conditional probability that the FDI detects a failure given that a failure has occurred.
Using these definitions, the state transition matrix for the Markov model described above is
given by

$$
\Phi(\Delta t) =
\begin{bmatrix}
1 - \mu\,\Delta t - 4\lambda\,\Delta t & 0 & 0 \\
\mu\,\Delta t + 4\lambda\,\Delta t\,\beta & 1 - 3\lambda\,\Delta t & 0 \\
4\lambda\,\Delta t\,(1-\beta) & 3\lambda\,\Delta t & 1
\end{bmatrix}
\qquad (3.2\text{-}1)
$$

where $\Phi_{ij}(\Delta t)$ is the probability of transitioning from state j to state i over the time interval
of length $\Delta t$. The factor of four accounts for the four control surfaces. Here we have
assumed that all surfaces have the same failure rate $\lambda$ and we have aggregated the two
system loss states into a single state (the third element of the state transition matrix). Note
that the expression in (3.2-1) is an approximation for the state transition probability matrix
that holds for small $\Delta t$ (e.g. $\Delta t$ < 0.02 hours, during which the probability of two
simultaneous failures is small enough to be neglected).

The state transition probability matrix is used to evaluate the probability that the
system is in a particular operational state as a function of time as follows. For example,
assume $\lambda$ = 1.0e-5 failures/hour, $\mu$ = 1.7248e-4 false alarms/hour, $\beta$ = 0.98 and use
$\Delta t$ = 0.0167 hours (1 minute), then the state transition matrix for the system is given by

$$
\Phi(0.167\ \text{hour}) =
\begin{bmatrix}
0.999996453333 & 0 & 0 \\
3.533333\text{e-6} & 0.9999995 & 0 \\
1.3334\text{e-8} & 5.0\text{e-7} & 1
\end{bmatrix}
\qquad (3.2\text{-}2)
$$


The reliability of the system is defined as the probability that the system is in a non-system-
loss state. This reliability can be computed for the time interval of interest as follows.
Define the state probability vector $\pi(t \mid \pi_0)$ as the vector whose $i$th element is the probability
of the system being in state i at time t given an initial state probability distribution at time 0
of $\pi_0$ (the explicit conditioning on $\pi_0$ will be eliminated from here on). The value of $\pi(t)$ is
computed by raising the state transition matrix to the appropriate power (i.e., $t/\Delta t$) and
multiplying by the initial distribution $\pi_0$:

$$
\pi(1\ \text{hour}) = \Phi(0.167\ \text{hour})^{60}\,\pi_0,
\qquad
\pi_0 = \begin{bmatrix} 1 \\ 0 \\ 0 \end{bmatrix}
\qquad (3.2\text{-}3)
$$


where here we have assumed that the aircraft begins operating in the no failure state at $t_0$.
Performing this calculation, one can show that the state probability vector for the system
after 1 hour of operation is given by

$$
\pi(1\ \text{hour},\ \beta = 0.98) =
\begin{bmatrix} 0.9998677 \\ 2.1166325\text{e-4} \\ 8.030689\text{e-7} \end{bmatrix}
\qquad (3.2\text{-}4)
$$

Similarly, one can show that the state probability vector for the system after 1 hour of
operation for the case of perfect FDI coverage ($\beta = 1$) is given by

$$
\pi(1\ \text{hour},\ \beta = 1) =
\begin{bmatrix} 0.999789 \\ 2.12375\text{e-4} \\ 3.1326592\text{e-9} \end{bmatrix}
\qquad (3.2\text{-}5)
$$

The reliability at one hour is the sum of the probabilities of being in states 1 and 2 (the non-
system-loss states). This reliability measure will be used later as a means of comparing the
flight-control system with and without the expert system.
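
The calculation in (3.2-1) through (3.2-5) can be reproduced in a few lines. The following Python sketch is an added example, not code from the report: it builds the three-state transition matrix from the surface failure rate, the FDI false alarm rate and the FDI detection probability given in the text, propagates the state probabilities over 60 one-minute steps, and returns the reliability at one hour. The function names and the validity check on the matrix are assumptions.

```python
"""Three-state Markov reliability model of the RMS without the expert system.

Added illustration. States are ordered [1: no failures, 2: one surface
removed from use, SL: system loss]; column j of the matrix holds the
probabilities of moving out of state j during one step.
"""

LAMBDA = 1.0e-5   # surface failure rate, failures/hour (from the text)
MU = 1.7248e-4    # FDI false alarm rate, false alarms/hour (from the text)
DT = 1.0 / 60.0   # one-minute step, in hours
SURFACES = 4      # three of the four surfaces are needed to keep flying


def validate(phi, tol=1e-12):
    """Reject a matrix that is not column-stochastic.

    A step too long for the first-order approximation in (3.2-1) shows up
    here as an entry below 0, as does a detection probability outside [0, 1].
    """
    n = len(phi)
    for j in range(n):
        column = [phi[i][j] for i in range(n)]
        if any(p < 0.0 or p > 1.0 for p in column):
            raise ValueError("column %d has an entry outside [0, 1]" % j)
        if abs(sum(column) - 1.0) > tol:
            raise ValueError("column %d does not sum to 1" % j)


def transition_matrix(lam, mu, beta, dt):
    """First-order state transition matrix of equation (3.2-1)."""
    phi = [
        [1.0 - mu * dt - SURFACES * lam * dt, 0.0, 0.0],
        [mu * dt + SURFACES * lam * dt * beta,
         1.0 - (SURFACES - 1) * lam * dt, 0.0],
        [SURFACES * lam * dt * (1.0 - beta),
         (SURFACES - 1) * lam * dt, 1.0],
    ]
    validate(phi)
    return phi


def propagate(phi, pi0, steps):
    """Apply the transition matrix to the state vector `steps` times."""
    pi = list(pi0)
    n = len(pi)
    for _ in range(steps):
        pi = [sum(phi[i][j] * pi[j] for j in range(n)) for i in range(n)]
    return pi


def reliability(pi):
    """Probability of being in a non-system-loss state (states 1 and 2)."""
    return pi[0] + pi[1]


def state_after_one_hour(beta):
    """State probabilities after 60 one-minute steps from the no-failure state."""
    phi = transition_matrix(LAMBDA, MU, beta, DT)
    return propagate(phi, [1.0, 0.0, 0.0], steps=60)


if __name__ == "__main__":
    for beta in (0.98, 1.0):
        pi = state_after_one_hour(beta)
        print("beta = %.2f  P(system loss) = %.6e  reliability = %.10f"
              % (beta, pi[2], reliability(pi)))
```
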

3.3 Incorporating the Expert System into the Markov Model.

After a Markov model has been developed for the overall system, the next step in the
evaluation process is to integrate a quantitative characterization of the performance of the
expert system into that model. The resulting Markov model for the Redundancy Management
System (RMS) with the embedded expert system is shown in Figure 3. Integrating
the expert system into the original Markov model requires the introduction of two new
states (A and B). State A corresponds to the situation where the FDI has generated a false
alarm. State B corresponds to the situation where the FDI correctly detects a failure of one
of the surfaces. These two additional states are needed to capture the impact of the expert
system on the reliability of the RMS. In the original RMS, there was no need to
differentiate, in terms of system performance, between a correctly detected failure and a
false alarm. For both cases, the RMS system removes a surface from active use. Of
course in the case of a false alarm there is no need to do so. For the case of the RMS with
the embedded expert system, this no longer holds true. A false alarm by the FDI does not
imply that the system automatically transitions to state 2. There is now the possibility that
the expert system will catch the false alarm and return the surface to active use. This
transition (from state A back to state 1) can be thought of as a repair mode for the RMS that
is the result of adding the expert system to the RMS.

STATE  SYM  DESCRIPTION
1      1    No Surface Failures
2      A    No Surface Failures, FDI indicates failure (FA)
3      B    1 Surface failure, FDI detects failure (DET)
4      2    1 Surface removed from usage by the RMS
5      SL   System Loss

Legend: transitions due to the FDI and failures; transitions due to the Expert System.

Figure 3. Markov model of the RMS with Expert System

Of course there is a caveat. The expert system can improve system performance and 
reliability by correcting false alarms, but it can also decrease performance and reliability by 
incorrectly declaring an actual failure to be a false alarm. This failure mode, due to 
erroneous decisions made by the expert system, is indicated by the transition from state B 
to system loss. (Here we assume that when the expert system incorrectly declares a false 
alarm the effect on the system is the same as an undetected failure, which we assumed to be 
a system loss.) It should be noted that there are no transitions from either state A or B to a 
system loss state at the second failure level. This occurs because we have assumed that the 
time span between entering states A or B and exiting these states is sufficiently small to 
neglect the possibility of a failure during this period. This assumption was made only for 
simplicity. If desired, such transitions could be accounted for within the Markov model. 

It can be seen that the impact of the expert system on the overall performance of the 
system depends on the two performance parameters P(correcting a false alarm) and 
P(vetoing a correctly identified failure). Ideally one would like the expert system to be 
designed so that P(correcting a false alarm) = 1 and P(vetoing a correctly identified 
failure) = 0. These two parameters characterize the performance of the expert system
discussed in this example. In general, the performance parameters for any given expert
system will differ from the performance parameters of our example system; however, they 
can be obtained by constructing a Markov model in a similar manner to that outlined above. 
In Section 4, we discuss our approach to computing these expert system performance 
parameters. 

In addition to the performance parameters of the aircraft flight control surfaces and the
FDI algorithm ($\lambda$, $\mu$ and $\beta$), the state transition matrix for the Markov reliability model that
includes the expert system is also specified in terms of the expert system performance
parameters: P(correcting a false alarm) and P(vetoing a correctly identified failure). Let
$\alpha$ = P(correcting a false alarm) and let $\varepsilon$ = P(vetoing a correctly identified failure). Using
these definitions, the state transition matrix for this Markov model is given by

$$
\Phi(\Delta t) =
\begin{bmatrix}
1 - \mu\,\Delta t - 4\lambda\,\Delta t & \alpha & 0 & 0 & 0 \\
\mu\,\Delta t & 0 & 0 & 0 & 0 \\
4\lambda\,\Delta t\,\beta & 0 & 0 & 0 & 0 \\
0 & (1-\alpha) & (1-\varepsilon) & 1 - 3\lambda\,\Delta t & 0 \\
4\lambda\,\Delta t\,(1-\beta) & 0 & \varepsilon & 3\lambda\,\Delta t & 1
\end{bmatrix}
\tag{3.3-1}
$$
where the states indicated in Figure 3 have been ordered 1, A, B, 2, SL. The state
transition matrix for this system differs from typical state transition matrices in that it
contains a nonzero element in the upper right diagonal [$\Phi_{12}(\Delta t) = \alpha$]. Transition
probabilities in the lower left diagonal represent transitions to states of increased failures, 
while transition probabilities in the upper right diagonal represent transitions to states of 
decreased failures. For many systems it is not possible to repair a failure during operation 
and therefore the upper right diagonal typically consists of zeros. 

The reliability and performance of the new system that includes the expert system can 
be evaluated in the same manner as shown in Section 3.2. However, before this evaluation 
can be performed, it is necessary to assign values to the key expert system performance
parameters in a systematic fashion. The determination of these expert system performance 
parameters is discussed in the next section. 
4 EVALUATION OF EXPERT SYSTEMS


4.1 Rule-Based Expert Systems. 

A rule-based expert system is a reasoning program consisting of a knowledge base 
and an inference engine. The knowledge base consists of an assertion base - a collection of 
assertions (facts) about the current state of the world, and a rule base - a set of IF-THEN
rules that operate on the assertions contained in the assertion base. The inference engine is
a control mechanism which selects and applies rules to the assertion base in order to
generate new assertions and/or decisions (actions). Viewed as a black box, a rule-based
expert system generates assertions and decisions from incoming real time assertions. The
performance of a rule-based expert system is characterized by the accuracy of its assertions
as shown in Figure 4 and by the quality of its decisions. The objective in developing an
evaluation methodology is to quantify what is meant by assertion accuracy and decision 
quality. 


Figure 4. Block diagram of a generic rule-based expert system. (Diagram not reproduced; its
labels are A Priori Rules, A Priori Assertions and Real Time Assertions.)

Any errors in the output of the expert system (assuming that there are no errors in the 
inference engine or logical errors in the software) are due to errors in the rule base (the a 
priori rules) and errors in the assertion base (the a priori and real-time assertions). 
Therefore, the analysis presented here focussed on how to quantify output errors as a 
function of these two classes of input errors. 








4.2 Knowledge Base Errors. 

The performance of an expert system is a function of the uncertainty in the expert 
system's knowledge base. It is necessary to model this uncertainty as it evolves in time if 
we are to successfully evaluate the performance of expert systems in real-time environ- 
ments. As mentioned in the introduction, uncertainties in the knowledge base occur as the 
result of assertion errors and rule errors. 

The effect of an Assertion Error occurs when an inference is made using faulty data.
For example, suppose we have a rule of the form: IF $A_1$ and $A_2$ THEN $A_3$. When the
knowledge base of the expert system holds $A_1$ and $A_2$ to be true and, in reality, $A_1$ is false,
then $A_3$ will be held true even though in reality it may not be true. The error in $A_3$ is the
result of an assertion error in $A_1$. Thus, the effect of such an assertion error can become
magnified as it is propagated through the system.

The effect of a Rule Error occurs when an inference is made using a faulty rule. For
example, suppose we again consider the rule IF $A_1$ and $A_2$ THEN $A_3$. In reality, this
inference may not always be true. There may be some situations where $A_1$ and $A_2$ do not
imply $A_3$. In this case, errors have been introduced into the knowledge base as a result of
the faulty rule and not because of faulty data. Of course assertion errors and rule errors
may also serendipitously interact with each other to cancel each other's erroneous effects
and thus lead to a correct inference in spite of the knowledge base errors. The purpose of
developing the evaluation methodology is to quantify the effects of the propagation of 
errors through the knowledge base due to both sources. We do this using a probabilistic 
model of uncertainty. 

4.3 Error Model.

We now present an error model for rules and assertions in an expert system of the
form: If $A_{in}$ THEN $A_{out}$, where $A_{in}$ and $A_{out}$ are the input (antecedent) and output
(consequent) assertions of the rule, respectively. Before we present the error model we first
define our notation. We assume that the expert system holds assertions $A_{in}$ and $A_{out}$ to be
true with probabilities $P_{XS}(A_{in})$ and $P_{XS}(A_{out})$, respectively, while in reality $A_{in}$ and $A_{out}$
will be true with probabilities $P(A_{in})$ and $P(A_{out})$. Assertion errors are represented as the
difference between the true probability and the expert system's probability and are defined
using the $\Delta$ notation as follows:

$$\Delta P(A_{in}) = P(A_{in}) - P_{XS}(A_{in}) \tag{4.3-1}$$

$$\Delta P(A_{out}) = P(A_{out}) - P_{XS}(A_{out}) \tag{4.3-2}$$

Similar conventions could be adopted for systems employing certainty factors or 
belief functions to represent uncertainty. Indeed, the expert system will rarely hold the 
correct (truth) values for the certainty factors for the former or support and plausibilities for 
the latter. 

The accuracy of a rule can be captured by the conditional probabilities $P(A_{out} \mid A_{in})$,
$P(A_{out} \mid \sim A_{in})$, and $P_{XS}(A_{out} \mid A_{in})$, $P_{XS}(A_{out} \mid \sim A_{in})$, where again no subscript represents
the correct or truth values and the subscript XS corresponds to the values assumed by the
expert system. Rule errors are defined as the difference between the true conditional
probabilities and the conditional probabilities assumed by the expert system. The notation
$\sim A_{in}$ denotes the event not($A_{in}$). Following the convention in (4.3-1) and (4.3-2), rule
errors are expressed as:

$$\Delta P(A_{out} \mid A_{in}) = P(A_{out} \mid A_{in}) - P_{XS}(A_{out} \mid A_{in}) \tag{4.3-3}$$

$$\Delta P(A_{out} \mid \sim A_{in}) = P(A_{out} \mid \sim A_{in}) - P_{XS}(A_{out} \mid \sim A_{in}) \tag{4.3-4}$$

For the rule If $A_{in}$ THEN $A_{out}$ it follows that $P_{XS}(A_{out} \mid A_{in}) = 1$. If the rule were
modified to read If $A_{in}$ THEN $A_{out}$ with $P(A_{out}) = 0.7$, then $P_{XS}(A_{out} \mid A_{in}) = 0.7$. Note
that our notation allows us to work with expert systems that reason using uncertainty. 

The preceding definitions establish the notation for representing errors in both 
assertions and rules. Again using the generic rule If $A_{in}$ THEN $A_{out}$, we now present the
method for computing the error in the output of the rule [$\Delta P(A_{out})$], in terms of the error
notation described above. $\Delta P(A_{out})$ is computed by first recalling its definition

$$\Delta P(A_{out}) = P(A_{out}) - P_{XS}(A_{out}) \tag{4.3-5}$$

Using the law of total probability, the actual and expert system probabilities for the 
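assertion $A_{out}$ can be expressed as

$$P(A_{out}) = P(A_{out} \mid A_{in})\,P(A_{in}) + P(A_{out} \mid \sim A_{in})\,P(\sim A_{in}) \tag{4.3-6}$$

$$P_{XS}(A_{out}) = P_{XS}(A_{out} \mid A_{in})\,P_{XS}(A_{in}) + P_{XS}(A_{out} \mid \sim A_{in})\,P_{XS}(\sim A_{in}) \tag{4.3-7}$$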

Substituting the appropriate error definitions into these two equations and manipulating 
leads to the following result 


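$$
\begin{aligned}
\Delta P(A_{out}) ={}& [\,P_{XS}(A_{out} \mid \sim A_{in}) - P_{XS}(A_{out} \mid A_{in})\,]\,\Delta P(A_{in}) && \text{; assertion errors} \\
&+ P_{XS}(A_{in})\,\Delta P(A_{out} \mid A_{in}) + P_{XS}(\sim A_{in})\,\Delta P(A_{out} \mid \sim A_{in}) && \text{; rule errors} \\
&+ \Delta P(A_{in})\,\Delta P(A_{out} \mid A_{in}) + \Delta P(\sim A_{in})\,\Delta P(A_{out} \mid \sim A_{in}) && \text{; higher order terms}
\end{aligned}
\tag{4.3-8}
$$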

The error in the output assertion $A_{out}$ in (4.3-8) is written as (1) a first order term (linear) in
input assertion errors [as shown on the first line], (2) a first order term (linear) in rule
errors [as shown on the second line], and (3) a higher order term of products of the
assertion errors and rule errors [as shown on the third line].

The result that we have just developed holds for the case where $A_{in}$ is a compound
event of the form $A_{in} = F(A_1, A_2, \ldots, A_n)$, where F( ) refers to any function involving the
Boolean operations AND, OR, and NOT. In this situation, however, it is necessary to
compute the error in $A_{in}$ in terms of the errors in $A_1, A_2, \ldots, A_n$. In order to illustrate this
process, expressions for the input assertion errors are developed for the Boolean operations 
listed above. 

First, recall the following definitions: 

$$\Delta P(A_1) = P(A_1) - P_{XS}(A_1) \tag{4.3-9}$$

$$\Delta P(A_2) = P(A_2) - P_{XS}(A_2) \tag{4.3-10}$$

$$\Delta P(A_1 A_2) = P(A_1 A_2) - P_{XS}(A_1 A_2) \tag{4.3-11}$$

NOT: The assertion error for $A_{in}$ when $A_{in} = \sim A_1$ is given by

AND: The assertion error for $A_{in}$ when $A_{in} = A_1$ AND $A_2$ is given by

$$\Delta P(A_{in}) = P(A_1 A_2) - P_{XS}(A_1 A_2) = \Delta P(A_1 A_2) \tag{4.3-13}$$

This characterization of $\Delta P(A_{in})$ contains error probabilities of joint events. To avoid
requiring the expert system to explicitly carry knowledge of these joint events, it will be
useful to use a linear approximation to this error term as follows. Employing conditional
probabilities we can write

$$P(A_{in}) = P(A_1 A_2) = P(A_2 \mid A_1)\,P(A_1) \tag{4.3-14}$$

$$P_{XS}(A_{in}) = P_{XS}(A_1 A_2) = P_{XS}(A_2 \mid A_1)\,P_{XS}(A_1) \tag{4.3-15}$$

Subtracting (4.3-15) from (4.3-14) and using the definitions (4.3-1) and (4.3-2) gives

$$\Delta P(A_{in}) = \Delta P(A_1 A_2) = P(A_2 \mid A_1)\,P(A_1) - P_{XS}(A_2 \mid A_1)\,P_{XS}(A_1) \tag{4.3-16}$$

Recall that by definition $P(A_1) = P_{XS}(A_1) + \Delta P(A_1)$, therefore:

$$\Delta P(A_{in}) = P(A_2 \mid A_1)\,[\,P_{XS}(A_1) + \Delta P(A_1)\,] - P_{XS}(A_2 \mid A_1)\,P_{XS}(A_1) \tag{4.3-17}$$

$$\Delta P(A_{in}) = P(A_2 \mid A_1)\,\Delta P(A_1) + [\,P(A_2 \mid A_1) - P_{XS}(A_2 \mid A_1)\,]\,P_{XS}(A_1) \tag{4.3-18}$$

Also recall that by definition $\Delta P(A_2 \mid A_1) = [\,P(A_2 \mid A_1) - P_{XS}(A_2 \mid A_1)\,]$ ¹. Using this
definition, (4.3-18) can be rewritten as

$$
\begin{aligned}
\Delta P(A_{in}) &= P(A_2 \mid A_1)\,\Delta P(A_1) + P_{XS}(A_1)\,\Delta P(A_2 \mid A_1) \\
&= P_{XS}(A_2 \mid A_1)\,\Delta P(A_1) + P_{XS}(A_1)\,\Delta P(A_2 \mid A_1) && \text{; linear in error terms} \\
&\quad - \Delta P(A_2 \mid A_1)\,\Delta P(A_1) && \text{; nonlinear in error terms}
\end{aligned}
\tag{4.3-19}
$$

Neglecting the nonlinear terms gives an expression for $\Delta P(A_{in})$ that is first order in error
terms.


OR: The assertion error for $A_{in}$ when $A_{in} = A_1$ OR $A_2$ is given by

$$
\begin{aligned}
\Delta P(A_{in}) &= \Delta P(A_1) + \Delta P(A_2) - \Delta P(A_1 A_2) \\
&= \Delta P(A_2) + (1 - P_{XS}(A_2 \mid A_1))\,\Delta P(A_1) - P_{XS}(A_1)\,\Delta P(A_2 \mid A_1) && \text{; linear} \\
&\quad + \Delta P(A_2 \mid A_1)\,\Delta P(A_1) && \text{; nonlinear}
\end{aligned}
\tag{4.3-20}
$$

where (4.3-20) has been obtained by substituting for $\Delta P(A_1 A_2)$ from (4.3-19).

¹ Here we assume that the expert system's rule base is sufficiently rich to either explicitly or implicitly
contain this conditional probability.
In the more general case, where F( ) is a more complicated Boolean function, the
error in $A_{in}$ can be computed by repeated applications of the preceding three results.

The preceding evaluation method can be used to compute the errors introduced into 
the knowledge base of the expert system by assertion and rule errors for the firing of a 
single rule. To compute the errors resulting from many inferencing cycles, it is necessary 
to apply the evaluation method to each rule as it is fired and keep track of the resulting 
propagated errors. A preliminary approach to the problem of error propagation follows. 


4.4 Error Propagation 

The error model defined in 4.3 demonstrates how assertion and rule errors can 
introduce additional errors into the knowledge base through the application of a single rule. 
In order to utilize this information to evaluate the performance of a rule based system, it is 
necessary to propagate the effects of uncertainty through an inferencing cycle (the 
application of many rules). There are two approaches that can be used to investigate the 
propagation of uncertainty through an inferencing cycle. The first approach is to compute 
the values of the output assertion errors $\Delta P(A_{out})$ as a function of the input assertion errors
and the rule errors as described in Section 4.3. A difficulty encountered with this approach 
is that one must know with high accuracy the values of the input assertion errors and the 
rule errors. In other words, this method requires one to have a good understanding of the 
error sources for the rule based system of interest. In practice these error sources are not 
well understood and, therefore, will not be known to sufficient levels of accuracy to leave 
one confident in the computed value of the output assertion errors. However, in situations 
where the input assertion errors $\Delta P(A_{in})$ and the rule errors $\Delta P(A_{out} \mid A_{in})$ and
$\Delta P(A_{out} \mid \sim A_{in})$ are well defined, then uncertainty can be propagated through the knowledge base by
repeatedly applying the error propagation equations defined in 4.3 for each rule that fires. 

An alternative approach for investigating the propagation of uncertainty through the 
knowledge base is to perform sensitivity analyses. In this case, the sensitivities of the 
values of $\Delta P(A_{out})$ to errors in both rules and a priori and real-time input assertions are
computed rather than the actual values of $\Delta P(A_{out})$. That is, in situations where the input
assertion errors and rule errors are not accurately known, sensitivity analyses can be used 
to determine those errors to which the quality of the information contained in the 
knowledge base is the most sensitive. In the remainder of this section we present a method 
by which a sensitivity analysis of a rule based system can be performed using the error 
models developed in 4.3. 

Our discussion of the development of the sensitivity analysis begins by recalling 
Equation (4.3-8), the relation between output assertion errors and input assertion and rule 
errors for the firing of a given rule: 


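$$
\begin{aligned}
\Delta P(A_{out}) ={}& [\,P_{XS}(A_{out} \mid \sim A_{in}) - P_{XS}(A_{out} \mid A_{in})\,]\,\Delta P(A_{in}) && \text{; assertion errors} \\
&+ P_{XS}(A_{in})\,\Delta P(A_{out} \mid A_{in}) + P_{XS}(\sim A_{in})\,\Delta P(A_{out} \mid \sim A_{in}) && \text{; rule errors} \\
&+ \Delta P(A_{in})\,\Delta P(A_{out} \mid A_{in}) + \Delta P(\sim A_{in})\,\Delta P(A_{out} \mid \sim A_{in}) && \text{; higher order terms}
\end{aligned}
\tag{4.3-8a}
$$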

This relation can be expressed in shorthand notation as: 
$$\Delta P(A_{out}) = [C_A]_{XS}\,\Delta P(A_{in}) + [C_{in}]_{XS}\,\Delta P(A_{out} \mid A_{in}) + [C_{\sim in}]_{XS}\,\Delta P(A_{out} \mid \sim A_{in}) + \text{higher order error terms} \tag{4.3-8b}$$

where $[\,\cdot\,]_{XS}$ represents a quantity that is explicitly known within the expert system.
Neglecting the higher order error terms (i.e., assuming that the values of second order error
terms can be neglected when compared to first order values), (4.3-8b) can be re-expressed
as


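$$
\Delta P(A_{out}) =
\big[\,[C_A]_{XS} \;\vdots\; [C_{in}]_{XS} \;\vdots\; [C_{\sim in}]_{XS}\,\big]
\begin{bmatrix} \Delta P(A_{in}) \\ \Delta P(A_{out} \mid A_{in}) \\ \Delta P(A_{out} \mid \sim A_{in}) \end{bmatrix}
= [C]_{XS}
\begin{bmatrix} \Delta P(A_{in}) \\ \Delta P(A_{out} \mid A_{in}) \\ \Delta P(A_{out} \mid \sim A_{in}) \end{bmatrix}
\tag{4.4-1a}
$$

where $[C]_{XS} = \big[\,[C_A]_{XS} \;\vdots\; [C_{in}]_{XS} \;\vdots\; [C_{\sim in}]_{XS}\,\big]$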

Equations (4.3-12), (4.3-19) and (4.3-20) illustrate that the term $\Delta P(A_{in})$ in (4.3-8b)
can be replaced by the general form (again, this is an approximation that is linear in error
terms):

$$
\Delta P(A_{in}) = \big[\,[A]_{XS} \;\vdots\; [A_{i|j}]_{XS}\,\big]
\begin{bmatrix} \Delta P(A) \\ \Delta P(A_i \mid A_j) \end{bmatrix}
\tag{4.4-1b}
$$

where the nature of the terms $[A]_{XS}$ and $[A_{i|j}]_{XS}$ depends on the Boolean nature of $A_{in}$ and
where A is the (n×1) vector of all input and output assertions contained in the knowledge
base, and $\Delta P(A)$ is the (n×1) vector of the errors in those assertions. Similarly, $\Delta P(A_i \mid A_j)$
is the ($n^2$×1) vector of errors in the conditional assertions for all combinations of the n input
and output assertions.

Let N be the total number of rules and let $\Delta P(A_{out} \mid A_{in})$ and $\Delta P(A_{out} \mid \sim A_{in})$ be (N×1)
vectors of the rule errors. We define the uncertainty vector R to be the following composite
vector representing all of the assertion and rule errors.

$$
R = \begin{bmatrix} \Delta P(A) \\ \Delta P(A_i \mid A_j) \\ \Delta P(A_{out} \mid A_{in}) \\ \Delta P(A_{out} \mid \sim A_{in}) \end{bmatrix}
\tag{4.4-2}
$$


The vector R represents the uncertainty in the knowledge base for both assertions and 
rules. Ultimately, the purpose of the sensitivity analyses is to determine the sensitivity of 
errors in A and any attendant decisions that are made as side effects to the errors R. 

Let $R_i$ be the uncertainty vector just before the $i^{th}$ rule firing of the inferencing
process, and let $R_{i+1}$ be the uncertainty vector after the $i^{th}$ rule firing. To perform a
sensitivity analysis we will first relate the uncertainty vectors $R_i$ and $R_{i+1}$ using linear
transformations. In the following it is assumed that the $k^{th}$ rule is fired at the $i^{th}$ firing.
Thus, we seek a relationship between $R_i$ and $R_{i+1}$ of the following form:

$$R_{i+1} = S_i^k\,R_i \tag{4.4-3}$$

Here $S_i^k$ is the sensitivity matrix corresponding to the $i^{th}$ firing of the $k^{th}$ rule. An
expression for $S_i^k$ can be obtained by substituting the expression for $\Delta P(A_{in})$ in (4.4-1b)
into (4.4-1a) as follows.


$\Delta P(A_{out})$ =

(4.4-4)


Since $\Delta P(A_{out})$ is an element of $\Delta P(A)$, the sensitivity matrix $S_i^k$ can be constructed from
an identity matrix with the row corresponding to $A_{out}$ for the $k^{th}$ rule replaced by the row
matrix on the right hand side of (4.4-4), namely:



For example, if $A_{out}$ for the rule (the $i^{th}$ rule fired) were the first element of A, then $S_i^k$
would be given by:



C 

0 1:0 0 0 
0:100 

0:010 


0 : 0 0 I 


(4.4-6) 


Thus, over several rule firings, we would have, for instance (omitting the rule
indexing superscript):

$$R_{i+3} = S_{i+3}\,S_{i+2}\,S_{i+1}\,S_i\,R_i \tag{4.4-7a}$$

or in more compact notation:

$$R_{i+3} = S_{i+3|i}\,R_i \tag{4.4-7b}$$

where the multi-step sensitivity matrix $S_{i+3|i}$ is given by

$$S_{i+3|i} = S_{i+3}\,S_{i+2}\,S_{i+1}\,S_i \tag{4.4-7c}$$

Therefore, by storing the individual sensitivity matrices, one can compute the
sensitivity of assertion errors to the errors existing at any point in the inferencing cycle.
We now consider two cases: sensitivity to real-time input and a priori assertion errors and
sensitivity to rule errors.

A Priori Assertion Errors 

The sensitivities of assertion errors after the $i^{th}$ rule firing to a priori assertions (those
held before inferencing has been initiated) are contained in the multi-step sensitivity matrix
$S_{i|0}$:

$$S_{i|0} = \prod_{j=1}^{i} S_j \tag{4.4-8}$$

That is, the uncertainty vector $R_0$ contains the uncertainties in the a priori assertions.


Real-Time Assertion Errors 

The sensitivities to real-time assertions (those that may be acquired by, for instance, 
sensors during the middle of the inferencing process) are contained in the multi-step 
sensitivity matrix: 
$$S_{i|m} = \prod_{j=m}^{i} S_j \tag{4.4-9}$$


where m is the rule firing number corresponding to the time that the real-time assertions 
were acquired. 

It should be noted that the sensitivities contained in the sensitivity matrix apply only 
to the specific sequence of rule firings associated with a specific set of a priori and real-time 
assertions. Thus, operation of the expert system under a variety of scenarios will result in 
unique sensitivity matrices for each scenario. 
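
The single-rule error split of (4.3-8) and the multi-step sensitivity product of (4.4-3) and (4.4-8), worked through for a two-rule chain as an added example (not code from the report). The function names and every probability are constructed for illustration; the chain uses simple antecedents, so the conditional-assertion block of R is empty.

```python
# Added illustration; every probability below is a constructed sample value.
# Rule chain: rule 1 "IF A1 THEN A2", rule 2 "IF A2 THEN A3".
# R = [dP(A1), dP(A2), dP(A3), dP(A2|A1), dP(A2|~A1), dP(A3|A2), dP(A3|~A2)]


def total_prob(p_in, p_out_in, p_out_not):
    """P(A_out) by the law of total probability, as in (4.3-6) and (4.3-7)."""
    return p_out_in * p_in + p_out_not * (1.0 - p_in)


def error_terms(pxs_in, cxs_in, cxs_not, d_in, d_c_in, d_c_not):
    """Exact split of dP(A_out) into the three groups of terms in (4.3-8).

    Expanding (4.3-6) minus (4.3-7) puts the coefficient
    P_XS(A_out|A_in) - P_XS(A_out|~A_in) on dP(A_in); equivalently, the bracket
    as printed in (4.3-8) multiplies dP(~A_in) = -dP(A_in).
    """
    assertion = (cxs_in - cxs_not) * d_in
    rule = pxs_in * d_c_in + (1.0 - pxs_in) * d_c_not
    higher = d_in * d_c_in + (-d_in) * d_c_not
    return assertion, rule, higher


def sensitivity(n, out_idx, coeffs):
    """Identity matrix whose A_out row is replaced by first-order coefficients."""
    s = [[1.0 if r == c else 0.0 for c in range(n)] for r in range(n)]
    s[out_idx] = [coeffs.get(c, 0.0) for c in range(n)]
    return s


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def matvec(a, v):
    return [sum(x * y for x, y in zip(row, v)) for row in a]


def run_chain():
    pxs_a1 = 0.30                  # expert system's P(A1)
    rule1 = (1.00, 0.05)           # P_XS(A2|A1), P_XS(A2|~A1)
    rule2 = (0.90, 0.10)           # P_XS(A3|A2), P_XS(A3|~A2)
    r0 = [0.04, 0.0, 0.0, -0.08, 0.02, -0.05, 0.03]   # a priori errors (truth - XS)

    # What the expert system believes after firing rule 1, then rule 2.
    pxs_a2 = total_prob(pxs_a1, *rule1)
    pxs_a3 = total_prob(pxs_a2, *rule2)

    # What is actually true, using the true assertion and rule probabilities.
    p_a2 = total_prob(pxs_a1 + r0[0], rule1[0] + r0[3], rule1[1] + r0[4])
    p_a3 = total_prob(p_a2, rule2[0] + r0[5], rule2[1] + r0[6])

    terms1 = error_terms(pxs_a1, rule1[0], rule1[1], r0[0], r0[3], r0[4])

    # One sensitivity matrix per firing (4.4-3), then the multi-step product (4.4-8).
    s1 = sensitivity(7, 1, {0: rule1[0] - rule1[1], 3: pxs_a1, 4: 1.0 - pxs_a1})
    s2 = sensitivity(7, 2, {1: rule2[0] - rule2[1], 5: pxs_a2, 6: 1.0 - pxs_a2})
    s_2_0 = matmul(s2, s1)
    r2 = matvec(s_2_0, r0)

    return {
        "exact_dP_A2": p_a2 - pxs_a2,       # true error after rule 1
        "terms_rule1": terms1,              # its three-way split
        "exact_dP_A3": p_a3 - pxs_a3,       # true error after rule 2
        "linear_dP_A3": r2[2],              # first-order prediction
        "sensitivity_row_A3": s_2_0[2],     # d(dP(A3)) / d(each a priori error)
    }


if __name__ == "__main__":
    for key, value in run_chain().items():
        print(key, value)
```

The gap between the exact and first-order values of the error in A3 is the accumulated higher order terms; the A3 row of the product matrix ranks the a priori errors by their influence on that assertion.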
5 RESULTS


5.1 Problem Description. 

Numerical results are presented for an evaluation of the aircraft longitudinal flight- 
control RMS described in Section 3. The example addresses both the evaluation of the 
stand-alone performance of the expert system as well as the performance of the larger 
redundancy management system in which it is embedded. 


Several simplifying assumptions have been made to narrow the scope of this research 
effort. (For all matrix definitions, the subscript i refers to the column and j refers to the 
row.) The first assumption is that the aircraft control surfaces will fail in one of three 
ways. A control surface can (1) become stuck, (2) float (i.e. flap in the breeze), or (3) be
damaged (e.g. a piece of the control surface is torn off in battle). When the expert system
is first invoked, we assume that either the FDI has correctly detected that a control surface
is in one of the preceding states, or that the FDI has produced a false alarm. We define S
to be this control surface state vector and assume the following a priori probability
distribution on these states when the expert system is invoked.

$$
\{P(S_i)\} =
\begin{bmatrix} 0.01 \\ 0.09 \\ 0.02 \\ 0.88 \end{bmatrix}
\begin{matrix} \text{stuck} \\ \text{float} \\ \text{damage} \\ \text{false alarm} \end{matrix}
\tag{5.1-1}
$$


The second assumption that we make concerns the conditional probability that an
attribute is true given the state of the control surfaces as described above. As defined in
Section 2.2 let A(k) be the attribute vector for control surface k. We define the conditional
probabilities that the $j^{th}$ attribute $A_j(k)$ is true given that a control surface is in state (i) to be

$$
\Pr[A_j(k) \mid S_i] =
\begin{bmatrix}
0.80 & 0.10 & 0.50 & 0.10 \\
0.90 & 0.90 & 0.50 & 0.10 \\
0.50 & 0.50 & 0.80 & 0.50 \\
0.50 & 0.50 & 0.80 & 0.10
\end{bmatrix}
\quad \text{for all } k
\tag{5.1-2}
$$


It follows from these assumptions that the a priori distribution on the attribute vector
A is given by

$$
\{P(A_j)\} = \begin{bmatrix} 0.11 \\ 0.18 \\ 0.51 \\ 0.15 \end{bmatrix}
$$

The final assumptions that we make are to define the a priori conditional probabilities
that the measured values of the evidence lie within the intervals defined in Section 2.3.
Recall that in Section 2.3 we defined intervals (here represented by I) for the evidence in
terms of thresholds. These probabilities indicate the probability that a measurement will fall
within a given interval given that one of the attributes is true or is not true. These matrices
are defined below


$\Pr(I_j \mid A_i)$ =

$\Pr(I_j \mid \sim A_i)$ =

0.10  0.20  0.70
0.80  0.15  0.05
0.80  0.15  0.05
0.10  0.25  0.65
                                (5.1-4)
0.89  0.10  0.01
0.02  0.08  0.90
0.20  0.35  0.45
0.80  0.18  0.02

respectively. Given these assumptions, we can then proceed to use the evaluation
methodology to generate reliability and performance results for both the expert system and
the complete flight control RM system.


5.2 Expert System Evaluation Results.

The direct evaluation methodology defined in Section 4 (not the sensitivity approach) 
was used to compute exact values for the performance parameters of the expert system, 
$\alpha$ = Pr(correcting a false alarm) and $\varepsilon$ = Pr(vetoing a correctly identified failure). These
results were generated for a range of values of Thr, the threshold parameter defined in 
Section 2.3 for rules 15 and 16 of the expert system. The values of these performance 
parameters are presented in Figure 5. 
As one would expect, the results show that the probability of correcting false alarms
increases with the size of the threshold Thr. However, as indicated in Figure 5, correcting 
more false alarms comes at the expense of incorrectly overruling the FDI algorithm when 
failures have occurred. Nevertheless over the complete range of operation, the probability 
of correcting the false alarms is greater than the probability of incorrectly overruling the 
FDI algorithm. 



Figure 6. The ratio of $\alpha$ to $\varepsilon$ versus threshold.

This result is encouraging in that it suggests that the expert system is helping things
more than hurting them. If we look at the ratio of $\alpha$ to $\varepsilon$ as shown in Figure 6, it can be
seen that the expert system provides the largest values of this ratio at the lowest values of
the threshold. However, true insight into the effectiveness of the expert system can only be
ascertained in the context of the overall system reliability evaluation.

The evaluation methodology was used to predict the values of $\alpha$ and $\varepsilon$ over the range
of thresholds as shown in Figure 6. To evaluate the accuracy of these results, we
performed a Monte Carlo simulation to generate values for $\alpha$ and $\varepsilon$. The differences
between the predicted and simulated values are shown in Figure 7, indicating that our
analytical predictions are correct.
FIGURE 7. A COMPARISON OF THE EXPERT SYSTEM EVALUATION WITH SIMULATION.


5.3 Flight Control System Reliability Results.

The system reliability evaluation is performed using the performance parameters of 
the expert system ($\alpha$ and $\varepsilon$) along with the performance parameters for the flight control
surfaces ($\lambda$) and the FDI algorithm ($\mu$ and $\beta$). The reliability of the flight control system is
evaluated for two levels of FDI coverage ($\beta$ = 1 and $\beta$ = 0.98) both with and without the
expert system. The values for the other system parameters are the same as the example
presented in Section 3, $\lambda$ = 1.0e-5 failures/hour and $\mu$ = 1.7248e-4 false alarms/hour. The
time step used in solving the Markov model is $\Delta t$ = 0.0167 hours. The reliability is
presented for an operational period of 1 hour. These results are presented over the range of 
thresholds that were used by the expert system as shown in Figure 8. 

There are two major conclusions that can be drawn from these results. The first and 
perhaps most obvious is that the simple expert system developed for this example has a 
significant negative impact on the reliability of the flight control system. For small 
thresholds the impact of the expert system on system performance is less adverse than for 
large thresholds, but regardless of the choice of the threshold, the expert system does
not provide any measure of increased reliability for the aircraft longitudinal flight-control
system. This observation holds true for both modes of operation for the FDI algorithm
($\beta$ = 1 and $\beta$ = 0.98).


Figure 8. System Reliability with and without the Expert System

The second conclusion that must be emphasized is that the objective of this effort was 
to evaluate the performance of the expert system. The fact that the expert system that was 
developed to be evaluated turned out to be a poor design is irrelevant. Indeed we would 
expect that an expert system that monitors the performance of a complicated flight-control 
redundancy management system using only 16 rules, 1 man month of design effort and 
questionable expertise is bound to perform poorly. The important observation to be made 
here is that poor performance can be identified early in the design process using such 
analytical evaluation techniques. 
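
The Markov model (3.3-1) run with the parameters quoted in this section, as an added example that is not code from the report: it compares the one-hour probability of system loss with and without the expert system and searches for the largest ε that a given α can tolerate. The α and ε values are constructed (the report gives them only in Figure 5), and "without the expert system" is modelled, as an assumption, by α = ε = 0.

```python
# Added illustration of the Markov model (3.3-1). lam, mu, beta and dt are the
# values quoted in Section 5.3; every alpha and eps passed in is a constructed value.


def phi(lam, mu, beta, alpha, eps, dt):
    """State transition matrix (3.3-1), state order 1, A, B, 2, SL.

    Column j holds the probabilities of leaving state j, so x(t+dt) = Phi x(t).
    """
    f = 4.0 * lam * dt      # the 4*lambda*dt first-failure term
    g = 3.0 * lam * dt      # the 3*lambda*dt second-failure term
    return [
        [1.0 - mu * dt - f, alpha,       0.0,       0.0,     0.0],
        [mu * dt,           0.0,         0.0,       0.0,     0.0],
        [f * beta,          0.0,         0.0,       0.0,     0.0],
        [0.0,               1.0 - alpha, 1.0 - eps, 1.0 - g, 0.0],
        [f * (1.0 - beta),  0.0,         eps,       g,       1.0],
    ]


def column_sums(m):
    """Each column of a valid transition matrix must sum to 1."""
    return [sum(m[r][c] for r in range(len(m))) for c in range(len(m[0]))]


def p_system_loss(alpha, eps, beta, lam=1.0e-5, mu=1.7248e-4, dt=0.0167, hours=1.0):
    """Probability of being in state SL after `hours`, starting in state 1."""
    m = phi(lam, mu, beta, alpha, eps, dt)
    x = [1.0, 0.0, 0.0, 0.0, 0.0]
    for _ in range(round(hours / dt)):      # 60 steps of 0.0167 h
        x = [sum(m[r][c] * x[c] for c in range(5)) for r in range(5)]
    return x[4]


def baseline(beta):
    """Assumed model of the RMS alone: every alarm removes the surface."""
    return p_system_loss(0.0, 0.0, beta)


def break_even_eps(alpha, beta, iterations=60):
    """Largest eps for which the expert system does not raise P(system loss).

    P(system loss) grows monotonically with eps, so bisection on [0, 1] works.
    """
    target = baseline(beta)
    lo, hi = 0.0, 1.0
    for _ in range(iterations):
        mid = 0.5 * (lo + hi)
        if p_system_loss(alpha, mid, beta) <= target:
            lo = mid
        else:
            hi = mid
    return lo


def compare(alpha, eps):
    """Rows of (beta, loss without XS, loss with XS, break-even eps)."""
    return [(beta, baseline(beta), p_system_loss(alpha, eps, beta),
             break_even_eps(alpha, beta)) for beta in (1.0, 0.98)]


if __name__ == "__main__":
    for beta, without_xs, with_xs, eps_max in compare(alpha=0.9, eps=0.05):
        print(f"beta={beta}: without XS {without_xs:.3e}, "
              f"with XS {with_xs:.3e}, break-even eps {eps_max:.3e}")
```

Because a wrongly vetoed failure is an immediate system loss while an uncorrected false alarm only costs one surface, the break-even ε comes out orders of magnitude below α.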
6 SUMMARY


6.1 Conclusions. 

A method for evaluating the reliability and performance of systems containing 
embedded rule-based expert systems has been developed. It is a three stage technique. In 
the first stage, a Markov reliability model of the system is developed which identifies the 
key performance parameters of the expert system. In the second stage, the expert system 
evaluation method is used to assign values to the performance parameters of the expert 
system. The performance parameters can be evaluated directly using a probabilistic model 
of the uncertainty in the knowledge base or by performing sensitivity analyses. In the third and
final stage, the performance parameters of the expert system are combined with 
performance parameters for other system components and subsystems to evaluate the 
reliability and performance of the complete system. The quantitative results that are 
produced by this evaluation process can be used in the design process of both the expert 
system and the system in which the expert system is embedded. In most situations it will
be beneficial to use an iterative design process by which the expert system is modified in 
response to its computed impact on the complete system's performance. An iterative 
design process will ultimately lead to both greater effectiveness of and greater confidence in 
real-time expert systems. 

An application of the evaluation method has been presented for the case of a simple 
expert system used to supervise the performance of an FDI algorithm associated with an 
aircraft longitudinal flight-control system. Using the evaluation method it has been shown 
that the proposed expert system has a negative impact on the overall system reliability even 
though it was observed that the expert system did a good job of identifying false alarms. 
This result underlines the importance of examining the effectiveness of expert systems not 
just in terms of their individual performance, but in terms of their impact on system 
performance as well. 

6.2 Recommendations for Further Research.

Of the three stages of the evaluation methodology (system modeling, expert system
evaluation, and system evaluation) the second stage - expert system evaluation - is the area 
where there is the greatest lack of experience and where there is the greatest need for future 
work. The evaluation method that has been proposed assumes that a reasonably good 
model of the expert system's operating environment is available. In many situations this 
may be a good assumption. However, further research into the impact of poor 
environment models on the accuracy of the evaluation method is needed. In the evaluation 
method, errors of compound assertions were approximated as linear in $\Delta$ error terms.
However, the errors resulting from these approximations should be small. Again, 
however, the effect of this approximation on the evaluation method needs to be investigated 
in more detail. A final area of investigation that should be addressed is the computational 
problems that may be encountered when the evaluation technique is applied to expert 
systems containing large knowledge bases. Some of the computations described in this 
report may become difficult when the number of rules and assertions that are manipulated 
by the expert system become large. It is important to verify that the evaluation method will 
scale up to address realistically sized expert systems. 